git.stella-ops.org/devops/vuln/query-hash-metrics.md
2025-12-26 18:11:06 +02:00

Vuln Explorer query-hash metrics spec (DEVOPS-VULN-29-003)

Metrics to emit

  • vuln_query_hashes_total{tenant,query_hash,route,cache="hit|miss"}
  • vuln_api_payload_bytes_bucket{direction="request|response"}

Hashing rules

  • Hash canonicalised query body (sorted keys, trimmed whitespace) with SHA-256.
  • Salt: deployment-specific (e.g., Telemetry:QueryHashSalt), 32 bytes hex.
  • Store only hash; never log raw filters.
  • Truncate any string field >128 chars before hashing to control cardinality.

Logging filter

  • Replace the values of fields named email, userId, principalName with [redacted] before anything reaches metrics or logging.
  • Retain tenant, route, status, durationMs, query_hash.
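The hashing rules and the logging filter above, as one added worked example (not code from the stella-ops project): canonicalise the query body (sorted keys, trimmed whitespace, strings cut at 128 chars), hash it with SHA-256 under the deployment salt, redact the named fields, and project the record down to the retained fields. The salt is applied as an HMAC-SHA256 key; that construction, the function names, and the sample values are assumptions for illustration, since the spec only fixes the algorithm, the salt size and the field names.

```python
import hashlib
import hmac
import json
from typing import Any

# Constants taken from the spec: truncate strings > 128 chars before hashing,
# redact these field names, and keep only these fields in metrics/log records.
MAX_STRING_LEN = 128
REDACTED_FIELDS = frozenset({"email", "userId", "principalName"})
RETAINED_FIELDS = ("tenant", "route", "status", "durationMs", "query_hash")
REDACTED = "[redacted]"


def canonicalise(value: Any) -> Any:
    """Trim whitespace and truncate over-long strings, recursively.
    Key order is normalised later by json.dumps(sort_keys=True)."""
    if isinstance(value, str):
        return value.strip()[:MAX_STRING_LEN]
    if isinstance(value, dict):
        return {str(k).strip(): canonicalise(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [canonicalise(v) for v in value]
    return value  # numbers, booleans and None pass through unchanged


def query_hash(query: dict, salt_hex: str) -> str:
    """Salted SHA-256 of the canonical query body.
    Assumption: the 32-byte salt (e.g. Telemetry:QueryHashSalt) is used as an
    HMAC-SHA256 key; the spec only says 'SHA-256 with a deployment-specific salt'."""
    salt = bytes.fromhex(salt_hex)
    if len(salt) != 32:
        raise ValueError("query-hash salt must be 32 bytes (64 hex characters)")
    canonical = json.dumps(canonicalise(query), sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    return hmac.new(salt, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def redact(value: Any) -> Any:
    """Replace the values of email/userId/principalName with [redacted] at any depth."""
    if isinstance(value, dict):
        return {k: (REDACTED if k in REDACTED_FIELDS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def log_record(request: dict, query: dict, salt_hex: str) -> dict:
    """Build the only record allowed to reach metrics/logs: sensitive fields
    redacted, the raw filter replaced by its hash, and just the retained keys kept."""
    safe = redact(request)
    safe["query_hash"] = query_hash(query, salt_hex)
    return {k: safe[k] for k in RETAINED_FIELDS if k in safe}


if __name__ == "__main__":
    # Constructed sample values; a real deployment reads the salt from configuration.
    salt = "00" * 32
    query = {"severity": " high ", "package": "example-lib"}
    req = {"tenant": "acme", "route": "/vuln/query", "status": 200, "durationMs": 42,
           "email": "analyst@example.invalid", "userId": "u-123"}
    print(json.dumps(log_record(req, query, salt), sort_keys=True))
```

Two properties matter for the acceptance checks: key order and surrounding whitespace do not change the hash (so the same filter hashes identically across clients), while a different salt does; and the emitted record contains neither the raw filter values nor the redacted identity fields.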

Prometheus exemplar tags (optional)

  • Add trace_id as exemplar if traces enabled; do not add request bodies.

Acceptance checks

  • Unit test: hashed query string changes when salt changes; raw query not present in logs.
  • Prometheus snapshot test: scrape and assert presence of vuln_query_hashes_total and payload histograms.